p0dalirius / smbclient-ng

smbclient-ng, a fast and user friendly way to interact with SMB shares.

Home Page: https://podalirius.net/

Syntax for kerberos auth

7MinSec opened this issue

Hi,

I'm sure I'm missing something obvious but can't get a session going with Kerberos auth. I stole a TGT on a pentest, converted it to a .ccache. I can use the TGT properly with netexec.

In smbclientng I'm not sure about the syntax - is this right?

```
smbclientng --host somedesktop.domain.com -k --kdcHost dc.domain.com -d domain.com
```

I get a big barf error:

```
Traceback (most recent call last):
  File "/home/kali/.local/bin/smbclientng", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/smbclientng/__main__.py", line 124, in main
    sessionsManager.create_new_session(
  File "/home/kali/.local/lib/python3.11/site-packages/smbclientng/core/SessionsManager.py", line 59, in create_new_session
    smbSession.init_smb_session()
  File "/home/kali/.local/lib/python3.11/site-packages/smbclientng/core/SMBSession.py", line 140, in init_smb_session
    self.connected = self.smbClient.kerberosLogin(
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/smbconnection.py", line 319, in kerberosLogin
    return self._SMBConnection.kerberosLogin(user, password, domain, lmhash, nthash, aesKey, kdcHost, TGT,
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/smb3.py", line 718, in kerberosLogin
    seq_set(authenticator, 'cname', userName.components_to_asn1)
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/krb5/asn1.py", line 81, in seq_set
    seq.setComponentByName(name, builder(component, *args, **kwargs))
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/kali/.local/lib/python3.11/site-packages/impacket/krb5/types.py", line 150, in components_to_asn1
    name.setComponentByName('name-type', int(self.type))
                                         ^^^^^^^^^^^^^^
TypeError: int() argument must be a string, a bytes-like object or a real number, not 'PrincipalNameType'
```

Oh I think I'm good to go now - this appears to work:

```
smbclientng --host somehost.domain.com --kdcHost dc01.domain.com -d domain.com -k -u "user-I-have-TGT-for" --no-pass
```

Maybe give an example in your documentation for future folks who run into this?